AC-711 Allow org admins to see all users.

2026-03-13 23:17:32 -02:30 · 2013-11-21 11:20:48 -05:00
parent f4e9b9ce64
commit 1556800c18
2 changed files with 6 additions and 2 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -156,7 +156,8 @@ class UserAccess(BaseAccess):
    I can see user records when:
     - I'm a superuser.
     - I'm that user.
-     - I'm their org admin.
+     - I'm an org admin (org admins should be able to see all users, in order
+       to add those users to the org).
     - I'm in an org with that user.
     - I'm on a team with that user.
    I can change some fields for a user (mainly password) when I am that user.
@@ -171,6 +172,8 @@ class UserAccess(BaseAccess):
        qs = self.model.objects.filter(is_active=True).distinct()
        if self.user.is_superuser:
            return qs
+        if self.user.admin_of_organizations.count():
+            return qs
        return qs.filter(
            Q(pk=self.user.pk) |
            Q(organizations__in=self.user.admin_of_organizations.all()) |
--- a/awx/main/tests/users.py
+++ b/awx/main/tests/users.py
@@ -226,8 +226,9 @@ class UsersTest(BaseTest):
        url = reverse('api:user_list')
        data3 = self.get(url, expect=200, auth=self.get_super_credentials())
        self.assertEquals(data3['count'], 4)
+        # Normal user is an org admin, can see all users.
        data2 = self.get(url, expect=200, auth=self.get_normal_credentials())
-        self.assertEquals(data2['count'], 2)
+        self.assertEquals(data2['count'], 4)
        data1 = self.get(url, expect=200, auth=self.get_other_credentials())
        self.assertEquals(data1['count'], 2)